International Peer Review of the Financial Audit Practice of the Icelandic National Audit Office

Transcription

1 Internatinal Peer Review f the Financial Audit Practice f the Reprt by the Supreme Audit Institutins f the Netherlands, Nrway and Sweden, December

2 Cntents 1 Intrductin 3 2 Findings n INAO s financial audit practice Intrductin Institutinal cntext Legal tasks INTOSAI Standards Organizatin f the financial audit practice Psitining f the financial audit department Capacity Audit prcess and audit manual Audit management systems Outsurcing Audit bjects Planning (including risk analysis) Overall audit planning: annual audit strategy/plan (including verall risk analysis) Individual audit planning: individual audit plan/prgram (including risk analysis) Quality cntrl and assurance Executin Dcumentatin and audit trail Reprting 17 3 Cnclusins and recmmendatins Intrductin Main cnclusin Specific cnclusins and recmmendatins In general Institutinal cntext Organizatin f the financial audit practice Audit bjects 23 1

3 3.3.5 Planning/risk analysis Quality cntrl and assurance Executin Dcumentatin and audit trail Reprting 26 4 Respnse f INAO 28 Annex 1: Audit methdlgy used in the peer review 30 Annex 2: Stakehlders interviewed 36 Annex 3: Members f the peer review team 37 2

4 1 Intrductin The (INAO) requested the Netherlands Curt f Audit (NCA) t assess whether the INAO s financial audit practice (including cmpliance audit aspects which are relevant t and part f financial audit) is in accrdance with generally accepted practices in gvernment auditing (especially Internatinal Standards fr Supreme Audit Institutins). In the first half f 2012 the NCA, tgether with clleagues frm the Nrwegian and Swedish Supreme Audit Institutins, als perfrmed a peer review n the perfrmance audit practice f the INAO. This reprt was published in December In April 2013 the INAO and the NCA agreed a Memrandum f Understanding t cnduct the peer review f the financial audit practice f the INAO. An internatinal team with representatives f the audit ffices f the Netherlands, Nrway and Sweden cnducted the actual peer review in May-August The draft reprt was submitted t the Auditr General f the INAO n December 5 th The INAO respnded n December 9 th This respnse is included in chapter 4. The main bjective f the peer review was t identify the extent t which the financial audit practice f the INAO is int line with the Internatinal Standards fr Supreme Audit Institutins (ISSAIs) f INTOSAI 1 and what recmmendatins culd be made t further imprve the financial audit practice f the INAO. It was agreed in the Memrandum f Understanding that the peer review wuld fcus n three main questins: 1. What is the quality f the INAO s financial audits and t what extent are they in accrdance with INTOSAI standards? 2. What recmmendatins can be given t the INAO t imprve the quality f its financial audits? 3. Hw can the INAO s risk assessment cncerning the financial audits be imprved, t reduce the audit gap? T answer these questins the peer review team develped a questinnaire based n previus experience with peer reviews and the ISSAIs. The 1 Internatinal Organizatin f Supreme Audit Institutins. 3

5 questinnaire cnsisted f tw parts: ne part n the general rganizatin, prcesses and prcedures f INAO s financial audit practice, and anther part with a specific checklist fr five individual financial audits reviewed by the peer review team. The methdlgy used t answer these questins is summarized in annex 1. Annex 2 lists all the rganizatins interviewed by the peer review. The members f the peer review team are summed up in annex 3. The peer review team cnducted its review in accrdance with the INTOSAI standard fr peer reviews (ISSAI 5600). Standards used in the peer review were mainly based n ISSAIs cncerning financial auditing. The very recently (Octber 2013) adpted ISSAIs 100, 200 and 400 (Fundamental Principles f Public Sectr Auditing, Financial Auditing and Cmpliance Auditing) were nt yet endrsed during the executin phase f the peer review, s these were nt used. The peer review s scpe was limited t the financial audit f the accunts fr the fiscal year Mnitring the executin f the Budget (Natinal Audit Act (86/1997), sectin 8) was nt part f the scpe f the peer review. 2 Where relevant, imprvements made by the INAO in 2013 were als taken int accunt in drafting this peer review reprt. The findings f the peer review are presented in chapter 2 and the cnclusins and recmmendatins are presented in chapter 3. 2 This task is nt a task f the Financial Audit Department. 4

6 2 Findings n INAO s financial audit practice 2.1 Intrductin In this chapter the peer review team presents its main findings n the INAO s financial audit practice. First f all, we wuld like t stress the nature f these findings: a critical finding shuld nt be interpreted as a shrtcming per se, but as a cmparisn with the extensive INTOSAI Standards (ISSAIs). The INAO is still in the prcess f adpting ISSAIs and is nt finished yet. Implementing ISSAIs is a big challenge t all Supreme Audit Institutins (SAIs), especially fr relatively small SAIs such as the INAO. In this light, critical findings shuld be interpreted as bservatins that can be used by the INAO t further bring its financial audit practice int line with INTOSAI standards. 2.2 Institutinal cntext Legal tasks The authrity and tasks f the INAO are laid dwn in the Natinal Audit Act (86/1997). Sectin 8 f the Natinal Audit Act, which regulates the financial audit, states that the financial audit practice shall at any given time be in particular aimed at: ensuring that the financial statements present fairly the peratins and financial psitin in accrdance with generally accepted accunting principles; examining internal cntrl and whether it assures adequate results; ensuring that accunts are in cnfrmity with authrisatins under the Budget, the Supplementary Budget r any ther Acts f Althingi (Parliament), lawful instructins, business practice r service cntracts as applicable; examining and verifying the indicatrs that shw the activity and perfrmance f gvernmental entities and that are reprted in the financial statements. 5

7 An imprtant develpment is the amendment f the Natinal Audit Act. A draft Bill 2013 cntains the fllwing (main) changes: the Auditr General will be elected by Parliament; increased transparency (right f access t dcuments); bligatry implementatin f ISSAIs. The Bill is expected t be presented t Parliament during the next regular sessin f Parliament. Especially imprtant fr the peer review is the bligatry implementatin f ISSAIs (see sectin 2.2.2). As can be deduced frm the abve-mentined legal tasks with regard t financial audit, the INAO is nt specifically required t issue an pinin n the legality and regularity f the financial transactins underlying the accunts. 3 Its task seems t be restricted t auditing the reliability (true and fair view) f the accunts, including the regularity f the accunts (nt the underlying transactins). 4 Hwever, the INAO has stated that it interprets this task in a brad manner, whereby cmpliance with laws, regulatins and applicable rules is cnsidered as part f the financial audit. On the ther hand, the INAO has a legal task which is unusual fr many SAIs: t mnitr the executin f the Budget. 5 In many cuntries this is a task f the Ministry f Finance. It is als imprtant t nte that the INAO perfrms anther rle (nnbligatry) that is unusual fr SAIs: preceding the financial audit, the INAO helps smaller agencies prepare their accunts. The INAO s reprt n the audit f the 2011 central gvernment accunts states: The INAO has rendered assistance t many agencies in cnnectin with the annual 3 The Reprt n the 2011 Central Gvernment Accunts cntains the fllwing pinin: It is the pinin f the INAO that the central gvernment accunts present a true and fair view f the results f the peratins f the Treasury, gvernment agencies and funds in Grups A t E entities in 2011, its financial psitin as f 31 December 2011 and change in cash psitin in 2011, in accrdance with acts f law cncerning annual financial statements and gvernment financial reprting. In the pinin f the peer review team this is an pinin n the reliability (true and fair view) f the accunts, because cmplying with laws and regulatins regarding financial reprting is part f the reliability pinin. The pinin des nt cntain a statement n the legality and regularity f the financial transactins underlying the accunts. 4 Sme (nt all) SAIs, fr example the Nrwegian, Swedish and Dutch SAIs, issue an annual pinin n bth the true and fair view (f financial statements) and the legality and regularity (f underlying financial transactins). The legality and regularity audit checks whether public mney is received (revenues) and spend (expenses) in accrdance with the rules. This is seen as a very imprtant task fr SAIs: they must assure nt nly that the central gvernment issues reliable accunts, which prvide an insight int the assets and liabilities (financial psitin) and revenues and expenses (financial perfrmance), but als assure that the central gvernment prvides value fr mney by ensuring that financial transactins are in accrdance with applicable laws and regulatins. 5 As stated this task is nt a task f the Financial Audit Department. The perfrmance f this task is nt part f the scpe f the peer review. 6

8 financial audits t be able t present annual financial statements in the frm that is applicable in the regular market but there has been a systematic reductin in such assistance in recent years due t changes in emphasis in audits INTOSAI Standards A very imprtant and challenging prcess fr the INAO is the implementatin f the Internatinal Standards f Supreme Audit Institutins (ISSAIs). The ISSAI framewrk, frmally established in 2007, reflects the ambitin f INTOSAI t prvide its members and ther interested parties with a framewrk f prfessinal high-quality auditing standards. The first cmplete set f ISSAIs was presented and endrsed at the INTOSAI Cngress in Suth Africa at the end f As nted abve, implementatin f the ISSAIs will be bligatry fr the INAO after implementatin f the new Natinal Audit Act. The INAO has already decided t implement the ISSAIs vluntarily, and this prcess started late 2011, with, fr example, training emplyees and preparing instructins. An external Certified Public Accuntant (CPA) has been hired as a cnsultant t prvide guidance during the implementatin prcess. Implementing the ISSAIs n financial auditing, which cntain a large number f requirements, is a majr challenge t all SAIs, and especially fr smaller SAIs such as the INAO. Adptin f the ISSAIs is a multi-year prcess fr all SAIs, and the INAO is nw in the prcess f implementing them. This means that the 2012 audits, which were the bject f this peer review, were nt yet cmpletely ISSAI-prf. The INAO has prepared an ISSAI implementatin plan fr 2012, including time schedules. There is n frmal additinal implementatin plan fr In Octber 2013 INTOSAI endrsed sme new fundamental auditing principles. ISSAIs 100, 200 and 400 (Fundamental Principles f Public Sectr Auditing, Financial Auditing and Cmpliance Auditing) are very imprtant fr the financial audit practice. As the ISSAIs were nt endrsed yet during the executin phase f the peer review, the financial audit practice f the INAO was nt cmpared t these ISSAIs. 7

9 2.3 Organizatin f the financial audit practice Psitining f the financial audit department The INAO has tw main departments: financial audit and perfrmance audit. The diagram belw shws the rganizatinal structure f the INAO: Capacity The INAO emplys 42 staff in ttal, f whm 21 wrk in the financial audit practice. The INAO is therefre a relatively small SAI. The Financial Audit Department is run by a financial audit directr. Fur audit divisin managers are respnsible fr executing the audits with their team f (senir) auditrs; the managers actively participate in the audit teams. The Auditr General is als invlved in the planning and reprting phases f the financial audits, and is respnsible fr the verall financial audit practice. The financial auditrs are all highly educated: fur CPAs (the INAO emplys five CPAs including the Auditr General) and 16 emplyees with a university degree (the 21 st emplyee is a secretary). The average age f the INAO s staff is 53 and the average emplyment length is 14 years. 6 CPAs are respnsible fr perfrming the financial audits f the mst imprtant audit bjects: the larger entities f the A-part f the budget (see sectin 2.4) and all nt-utsurced - entities utside the A-part. Other auditrs (nt CPAs) perfrm the audits f smaller entities f the A-part f the Budget. Accrding t the INAO, it is difficult t hire new CPAs because f gvernment salary restrictins, althugh at the mment increasing the number f CPAs is nt a target in itself at INAO. Accrding t the INAO, in the nearby future 6 After cmpletin f the peer review these figures changed: average age is nw 54, average emplyment length is nw 15,5 years. 8

10 there will pssibly a need fr mre CPA-expertise because f the further implementatin f the ISSAIs and the prpsed implementatin f Internatinal Public Sectr Accunting Standards (IPSAS) in Icelandic public sectr (Draft Bill n public finance f Parliament). It is imprtant t nte that the INAO has stated in publicatins that it des nt have enugh staff t perfrm financial audits at all audit bjects every year (see sectins and 2.5.1). The INAO has stated that it had a deficit fr tw years and has experienced staff reductins. The scarce capacity als results in a relatively lw degree f auditr rtatin amng audit bjects. The INAO is f the pinin that it has a shrtage f staff. 7 The auditr s independence frm the audit bject is very imprtant. The INAO uses statements f auditr independence fr this purpse Audit prcess and audit manual The financial audit prcess is clearly structured int the custmary phases f planning, executin and reprting, and is fr the 2012 financial audits, the bject f the peer review - partially dcumented in the dcument Risk-based selectin f tasks fr Financial Auditing. The main phases distinguished in this dcument are risk analysis and audit task planning (planning-phase), risk-based audit (executin-phase) and summary and analysis f the cnclusins and reprting (reprting-phase). Accrding t ISSAI 1200, manuals and ther written guidance and instructins cncerning the cnduct f the audits have t be prepared. INAO has prepared Financial Audit Guidelines, which describe the principles and practice f the financial audit and prvides reasns and justificatins fr deviatins frm the applicable ISSAIs. The INAO has als prepared wrking papers (templates) fr certain audit prcedures. The 2012 financial audits did nt fully cmply yet with these Financial Audit Guidelines. The INAO is in the prcess f adapting the financial audit practice t the requirements f the Financial Audit Guidelines. Key steps fr the INAO are t evaluate whether the Financial Audit Guidelines are ISSAI-prf (and whether deviatins are justifiable) 8 and t implement the Financial Audit Guidelines in full. 7 The Lima Declaratin f INTOSAI, ISSAI 1, states in Sectin 7, Financial independence f Supreme Audit Institutins: 1.Supreme Audit Institutins shall be prvided with the financial means t enable them t accmplish their tasks. 8 It was nt pssible fr the peer review team t cmpare the Financial Audit Guidelines with the ISSAIs, because nly the first chapter and the table f cntents culd be translated fully in English. 9

11 2.3.4 Audit management systems The financial audit prcess is incrprated in tw audit management systems, Descartes and TeamMate. Descartes is used fr larger entities and TeamMate fr smaller entities. Descartes cntains build-in ISAs 9 but TeamMate des nt. Sme parts f the audit are dcumented utside f these tw systems in an electrnic file system (ONE) r n the harddisk f the INAO. Partly because f the use f different audit management systems nt all financial audits are executed similarly. The use f different systems culd lead t inefficiency Outsurcing The INAO can utsurce sme f its tasks t independent chartered accuntants. Sectin 4 f the Natinal Audit Act gives the INAO permissin t utsurce its tasks: The Natinal Audit Office is entitled t appint independent chartered accuntants r ther experts in a specific field t carry ut specific assignments entrusted t the Office in this present Act r ther specific laws. The INAO states that it is unable t perfrm all financial audits itself, because f capacity restrictins. Fr the year 2012 the INAO hired external audit capacity mstly fr the financial audit f the B-part (gvernment enterprises), the C-part (lending agencies), the D-part (gvernment financial institutins), and the E-part (enterprises wned fr ver 50% by the gvernment) f the Budget. The majrity f entities utside f the A-part f the Budget is audited by external audit firms. In 2012 a ttal f 39 institutins f the A-part f the Budget were audited by external audit firms, accunting fr 5% f A-part expenditure. A final bservatin is that the INAO uses the wrk f hired external auditrs fr entities in A-part f the Budget withut reviewing the quality f their wrk and the apprpriateness f their reprts and pinins. It culd be argued that accrding t the ISSAIs (1600) the INAO shuld review the wrk f hired auditrs, because the INAO uses the wrk f these private sectr chartered accuntants fr its wn audit pinin. 10 ISSAI 1600 utlines the respnsibility f the grup auditr fr the 9 Internatinal Standards n Auditing, issued by the Internatinal Federatin f Accuntants (IFAC). These ISAs frm the basis f mst f the ISSAIs. 10 The INAO als utsurces audits fr B-E-part f the Budget, but these audits are nt used by the INAO fr its wn audit pinin, s this finding nly cncerns utsurced audits regarding A-part f the Budget. 10

12 directin, supervisin and perfrmance f an audit perfrmed by a cmpnent auditr in cmpliance with prfessinal standards and applicable legal and regulatry requirements, and fr making sure that the auditr s reprt is apprpriate in the circumstances. 2.4 Audit bjects Article 1 f the Natinal Audit Act (N. 86/1997) states that the INAO shall:...audit the central gvernment accunts and the accunts f thse bdies that are invlved in the peratin f an entity n the management f funds fr the gvernment.... The gvernment accunts are divided int five grups: 1. Grup A: the highest authrity f the state, i.e., the Office f the President, the Althingi, the Cabinet and the Supreme Curt, as well as ministries and gvernment agencies, including certain funds; als thse nn-gvernment entities fr which the Treasury finances all r mst f their peratins with apprpriatins r is financially respnsible fr their peratins by law r cntract. 2. Grup B: gvernment enterprises perating in the market, the csts f which are fully r fr the mst part financed frm revenue f the sales f gds and services t the public and enterprises. 3. Grup C: lending agencies wned by the gvernment, ther than depsit mney banks. 4. Grup D: gvernment financial institutins, including banks and insurance cmpanies wned by the gvernment. 5. Grup E: unincrprated enterprises and jint-stck cmpanies that are wned by the gvernment fr mre than ne-half. As nted abve, the INAO has stated that because f capacity restrictins it is unable t audit all gvernment bdies every year (see als sectin 2.5.1). Sme data: In all, there are 436 audit bjects in Part A f the Budget, three in Part B, five in Part C, tw in Part D and 25 in Part E. All audit bjects in Parts B-E are annually audited, either by the INAO r by hired audit firms. Of the A-part f the Budget 429 Budget items are subject t audits n expenditure (7 are subject t revenue audit r balance sheet audit). Of these 429 Budget items, there are 85 Budget items with expenditure f mre than 1 billin ISK, accunting fr 80% f ttal expenditure, 66 Budget items with expenditure between 500 and 999 millin ISK, accunting fr 10% f ttal expenditure, and 278 Budget items with expenditure less than 500 millin ISK, accunting fr 10% f ttal expenditure. 11

13 In ttal 194 f the 429 Budget items are serviced by the State Accunting Office (SAO), accunting fr 23% f the ttal expenditure. These items are cnsidered t have a lw risk t the fair view f their financial statements. The audit f 39 institutins is utsurced (5% f ttal expenditure). The audit f 72 f the 429 Budget items was nt cvered in the three-year cycle. Institutins vary cnsiderably in size, frm having nly ne emplyee up t several thusand emplyees. Of 436 Budget items, 194 can be defined as institutins. On average, institutins are relatively small with fewer than 50 emplyees. 2.5 Planning (including risk analysis) Overall audit planning: annual audit strategy/plan (including verall risk analysis) The INAO dcumented its verall annual audit plan fr 2012 in the dcument Risk-based selectin f tasks fr financial auditing. Because f the inability t audit all audit bjects every year, it is necessary t priritize and select the mst imprtant audit bjects each year. The INAO tries t cver all Budget items every three years, but limited resurces have made this difficult: 72 entities have nt been audited in the past three years. The cre f the selectin f audit bjects is frmed by ten risk factrs. All audit bjects are scred n these risk factrs, and n the basis f this analysis the audit bjects t be audited in year n are selected. The risk factrs are: Risk factr A Scpe f expenditures; Risk factr B Serius earlier reservatins frm the INAO; Risk factr C Change in peratin r rerganizatin; Risk factr D Operatin significantly exceeds/within budget year after year systematic underestimatin; Risk factr E Negative equity; Risk factr F Reliable accunting and payment arrangement insufficient segregatin f duties; Risk factr G Budgetary item nt audited in the past fur years; Risk factr H Fraud and abuse risk; Risk factr I Nature f the budgetary item; Risk factr J Special revenue significantly exceeding apprpriatins year after year. In practice the selectin is mainly n factr A, scpe f expenditures. 12

14 The risk that the INAO will nt be able t audit every audit bject nce every three years already became reality, as nted abve. Fr the audits t be effective, it is crucial that INAO s selectin f audit bjects is sufficiently risk-based. In additin, the financial audit scpe must be wide enugh t ensure that an pinin can be given n the true and fair view f the central gvernment accunts. As nted abve, the INAO uses sme f its capacity t help sme smaller rganizatins prepare their accunts. In the pinin f the peer review team this shuld nt be a task f the INAO as the external auditr. 11 The INAO has started (2013) t audit smaller, similar rganizatins as grups instead f as individual audit entities. The INAO has als started (2013) t reduce the perfrming f nn-bligatry services at the request f entities (perfrming nn-bligatry financial audits and/r issuing nnbligatry audit pinins). The INAO als wishes t utsurce all audits f B-E-part f the Budget in the future, and cncentrate n the A-part f the Budget. Hwever, the INAO is still uncertain whether this is feasible. Finally, nt many audit bjects currently have an internal audit functin. An increase in the number f internal audit departments is pssible, in which case the INAO culd determine whether it culd rely n the wrk f internal auditrs (ISSAI 1610) t reduce the wrklad Individual audit planning: individual audit plan/prgram (including risk analysis) ISSAI 1300 requires the auditr t develp an audit plan fr each individual financial audit. The INAO has n standard templates fr audit plans fr individual financial audits. The audit plans used by the INAO s audit teams differ frm each ther. The audit plans that were used in the five financial audits reviewed during the peer review were nt separate, cmplete dcuments. Often, parts f the planned audit steps and prcedures were dcumented nly in different parts f the audit management systems, nt in a separate, cmprehensive dcument. Sme audits lacked sme f the necessary elements f an audit plan, fr example capacity, milestne planning and quality cntrl measures. Furthermre, there is n prcedure fr frmal apprval f the audit plan by the apprpriate engagement partners (ISSAI 1300), in the case f the INAO the financial audit directr and the Auditr General; their invlvement is infrmal and they are cncerned chiefly with critical matters. There is therefre a risk that the respnsible peple are nt fully 11 See als ISSAI 11, principle 3: SAIs shuld nt be invlved r be seen t be invlved, in any manner, whatsever, in the management f the rganizatins that they audit." 13

15 infrmed abut each audit plan, and are nt able t make required changes in an audit easily nce the audit has started. Althugh there is n standard audit plan, the use f Descartes and TeamMate means that sme degree f standardizatin is in place: bth these audit management systems (which differ frm each ther) require the use f sme standard audit steps and prcedures. A secnd bservatin cncerns the risk analysis used in the planning phase f individual audits (ISSAI 1315). In the five audits that were reviewed during the peer review risk analysis was used by the audit teams, but the relatinship between the assessed risks accrding t the risk analysis and the chice f audit prcedures (mix f tests f cntrls and substantive prcedures) was nt always clear. Often, a standard (substantive-prcedures based) audit apprach was chsen, with n clear relatin t the assessed inherent and internal cntrl risks. Mrever, inherent risks and internal cntrl risks were nt always assessed separately. Furthermre, audit plans are nt discussed with the auditees. The advantage f discussing (summaries f) audit plans with auditees is that it gives the auditee insight int the audit effrt and imprves the audit impact. The annuncement f audit activities can trigger auditees in an early stage t direct their attentin t imprving the systems r prcedures cncerned. A final bservatin cncerns ISSAI 1240 n the auditr s respnsibilities relating t fraud in an audit f financial statements. Accrding t this standard, there has t be a discussin abut fraud risks in the planning phase amng the engagement team members and als with the auditee. Als there has t be a determinatin by the engagement partner f hw and where the entity s financial statements may be susceptible t material misstatement due t fraud, including hw fraud might ccur. Such discussins did nt always take place r were nt prperly dcumented in the audits subject t the peer review. 2.6 Quality cntrl and assurance The INAO is wrking hard t implement an ISSAI-prf quality cntrl (QC) system fr its financial audits. The INAO already has in place sme QC instruments, but there is n written and defined QC effectively in use. INAO is in the prcess f implementing a mre thrugh ISSAI-prf QC system, but states that the scarcity f staff is a prblem t implement 14

16 active and efficient QC measures (fr example perfrming internal reviews). There is a QC dcument in draft, based n an IFAC-reprt n QC fr small and medium enterprises. This draft is apprved by the financial audit directr, and nw needs apprval f the Auditr General. The challenge fr the INAO, being a relatively small SAI, is t implement an adequate but at the same time feasible QC system. The mst imprtant QC instruments used by the INAO befre the start f the implementatin f ISSAIs were knwledge and experience: hiring adequate auditrs (educatin, experience) and training auditrs. Direct supervisin by the divisin manager is als a QC instrument that is already in place; divisin managers are als part f the team fr the larger audits. The INAO recently implemented a QC checklist t ensure the quality f each financial audit. Furthermre CPAs are respnsible fr the larger and mre cmplex audits. Anther measure is t review (althugh nt always visibly s) all reprts/accunts by the audit divisin manager, financial audit directr and Auditr General. Hwever, audit files are nt reviewed by a qualified auditr utside the audit team; the INAO states that this is due t lack f staff. In the Reprt n transparency 2013 the fllwing principal aspects f the QC system are given by the INAO: accuntability fr quality issues (all emplyees respnsible; Auditr General ultimately respnsible); independence and rules f cnduct; apprval f new and business relatinships ; persnnel issues (sufficient staff, cntinuing educatin); success f auditing and ther tasks (standard templates, frms, checklists); mnitring (supervisin); dcumentatin f wrking papers. The QC system which has nw been drafted generally cntains the main elements f ISSAI 1220 n QC. The (visible) rle f the engagement partner is crucial (apprval f crucial decisins, like audit plan; supervisin; review; etc.); this still has t be frmalized. Sme ther imprtant aspects that can be imprved are standard templates (fr example fr audit plans) and reviewing f audit files by a qualified persn utside the audit team. Apart frm these QC measures the INAO uses sme quality assurance (QA) methds. External quality cntrllers visit the INAO t evaluate all audits perfrmed by CPAs (latest visit was Nvember 2010: Auditrs Oversight Bard). Furthermre, the INAO has hired an external audit firm 15

17 in the past (fur years ag) t review wrking papers, t ensure that wrk was carried ut in accrdance with ISAs. Peer reviews are als QA instruments: in 1997 by the UK NAO and in 2013 by Dutch, Nrwegian and Swedish SAIs. 2.7 Executin Our review f five individual financial audits fund that the audits were in general executed as planned. We did have sme bservatins. Firstly, we bserved sme unnecessary differences in the executin f the audits. There is rm fr mre standardizatin in perfrming the audits. This bservatin is related t ur bservatins n the lack f a standard audit plan and the use f tw audit management systems. Secndly, tests f internal cntrl in the audits reviewed ften seemed t be perfrmed as a mre r less separate audit activity, with the audit evidence needed t frm an audit pinin being btained chiefly by substantive prcedures. See ur earlier remark in sectin 2.5.2, where we stated that the risk analysis did nt always identify a clear cnnectin between the assessed risks accrding t the risk analysis and the chice f audit prcedures (mix f tests f cntrls and substantive prcedures); a standard (substantive-prcedures based) audit apprach was ften chsen, with n clear relatinship t the assessed inherent and cntrl risks. If the internal cntrl risk is lw r medium, the auditr can rely partly n tests f cntrls t reduce the amunt f substantive testing. Perfrming mre tests f cntrls culd als increase the audit impact: mre findings n the functining f internal cntrl systems can lead t mre recmmendatins fr the auditees and eventually t a better functining internal cntrl system. A psitive develpment is the requirement f written representatins frm auditees (required by ISSAI 1580), althugh these are nt yet used in all financial audits. Finally, in sme f the audits reviewed a lt f audit wrk was perfrmed late in the audit cycle (spring f year n+1). Earlier executin f audit activities results in a better spread f the audit wrk acrss the audit cycle and gives the entities the pssibility t crrect errrs befre the financial year is ver and the statements are prduced. 16

18 2.8 Dcumentatin and audit trail The financial audit prcess is cmpletely digitalized. All INAO s emplyees have access t all files, which wrks efficiently but is als a risk (cnsidered a small risk by the INAO). The audits are dcumented in ne f the audit management systems (Descartes r TeamMate), and partly utside f these tw systems in an electrnic file system (ONE) r n the harddisk f the INAO. Audit findings are recrded in the system by the auditr and reviewed and signed ff by the audit manager. As nted abve, the audit files are neither reviewed by the financial audit directr nr by anther auditr utside the audit team. The peer review team cncluded frm the review f the five individual audits that, althugh the audit activities were in general well recrded in the files, in sme instances nt all audit activities perfrmed were recrded in full and/r signed ff by the audit divisin manager in the audit files (ISSAI 1230). It is imprtant that the audit files cntain sufficient infrmatin t allw an experienced auditr, nt invlved in the audit, t independently recnstruct hw the audit pinin was frmed. 2.9 Reprting The INAO publishes ne summarizing financial audit reprt n its financial audits in Octber/Nvember n+1, including the pinin n true and fair view f the accunts. The reprt, called The Audit f the Central Gvernment Accunts, cntains a summary f all the financial audits perfrmed during the year, the principal findings f these audits, and cmments. There are n findings per ministry r audit bject, just an verall pinin n the accunts and a summary f the mst imprtant findings. The reprt culd be cnsidered smewhat lengthy, but the main cnclusins and recmmendatins are presented separately in the beginning f the reprt. In the main text f the reprt the mre imprtant findings and cnclusins and the less imprtant nes are nt always clearly distinguished. There is n written prcedure t weigh the findings (hw findings affect the verall pinin). The INAO requests the auditees t respnd t audit findings and cnclusins/recmmendatins 12 presented in the annual reprt. The 12 There are varius terms fr this prcedure, like cntradictry prcedure, adversarial (r) adversary prcedure, bilateral discussin prcedure. This prcedure means that (draft) audit 17

19 Ministry f Finance and the State Accunting Office receive the draft reprt fr cmments. Cmments are given verbally, nt in writing. The respnses t the main cnclusins and recmmendatins are nt incrprated in the reprt. The Auditr General presents the reprt t the Budget Cmmittee f Parliament in persn. The Budget Cmmittee has issued pinins n the INAO s reprts in recent years. They cntain questins and attentin pints fr the gvernment. This prcedure gives the reprt mre impact, which is a psitive develpment. The INAO issues a press release, with a summary f the mst imprtant findings, and publishes the reprt n its website. The INAO des nt rganize briefings. Finally, the timeliness f publishing the annual reprt is imprtant. The Budget Cmmittee f Parliament needs t receive the reprt as sn as pssible; publicatin in Nvember, as ccurred in 2012, is (t) late. 13 Late publicatin reduces impact. The INAO tries t publish its annual reprt as sn as pssible after the summer hliday perid (it aims at early Octber) but smetimes the publicatin takes lnger than planned, which is due smetimes t external factrs (delay in accunts). Fr individual financial audits a reprt is drafted, auditees are requested t respnd t audit findings and cnclusins/recmmendatins (but nly in the case f the larger audit bjects), and a final reprt is send t the auditee and a cpy t the ministry invlved. The respnse f the auditee t the main cnclusins and recmmendatins is nt incrprated in the final reprt. The minister is nt accuntable fr agencies and ther entities under his/her remit s nly cpies f individual (final) reprts are send t the minister (there is n ministerial respnse t the audit findings and cnclusins/recmmendatins). It is als imprtant t nte that the individual reprts are nt published. There is n standard frmat (template) fr all kinds f reprts, althugh there is a standard frmat fr A-part audit reprts and many reprts have the same cnstructin. Mst f the five reprts reviewed were generally in agreement with the ISSAIs (400 and 1700), althugh sme requirements were nt yet fulfilled. The respnsibilities f the auditr and the auditee, fr example, were nt explicitly mentined in the reprts. All reprts/accunts are reviewed by the audit divisin manager, financial audit directr and the Auditr General (althugh these reviews are nt always visibly recrded in the audit files; ISSAI 1230). reprts are sent t the auditee with a request fr a written respnse within a given time-limit. Often this prcedure cnsists f tw phases: (1) require a check f the facts (findings) and (2) require a respnse frm the bard f the audited entity t the cnclusins and recmmendatins. 13 In 2013 the 2012 Annual Reprt was published early Octber. 18

20 Accrding t the ISSAIs (ISSAI 400, sectin 7) the cntents f audit reprts shuld be easy t understand and free frm vagueness r ambiguity, include nly infrmatin which is supprted by cmpetent and relevant audit evidence, and be independent, bjective, fair and cnstructive. The five individual audit reprts reviewed cntained the audit findings, but there was (t) much fcus n the audit prcedures perfrmed by the INAO, which made the reprts very descriptive. 14 There was n clear link between the main audit bjectives/questins, standards/nrms, findings, cnclusins and recmmendatins (fr example in table frm). Findings were nt quantified. There was nt always a distinctin between the main (mre serius) findings and cnclusins and the less imprtant findings and cnclusins in each individual audit reprt, althugh in A-part audit reprts the standard practice is t summarize majr findings at the end f each reprt. Finally, there is n audit actin list fr each financial audit. There is n written prcedure t fllw up the audit findings, but the INAO des dcument a cmpilatin f majr findings t be used in the risk analysis fr the fllwing year. The majr findings are als summarized at the end f the published summary annual financial audit reprt. 14 Accrding t the INAO their reprts are already much less descriptive than a decade ag. 19

21 3 Cnclusins and recmmendatins 3.1 Intrductin In this chapter the peer review team presents its answers t the three main peer review questins: What is the quality f the INAO s financial audits and t what extent are they in accrdance with INTOSAI standards? What recmmendatins can be given t the INAO t imprve the quality f its financial audits? Hw can the INAO s risk assessment cncerning the financial audits be imprved, t reduce the audit gap? Once again we wuld like t stress the nature f ur cnclusins and recmmendatins. Critical cnclusins shuld nt be interpreted as shrtcmings per se, but as cmparisns with the extensive INTOSAI Standards (ISSAIs). The INAO is still in the prcess f adpting ISSAIs and is nt finished yet. Implementing ISSAIs is a majr challenge t all SAIs and especially t relatively small SAIs such as the INAO. Critical cnclusins and accmpanying recmmendatins shuld be interpreted in this light as bservatins that the INAO culd use t bring its financial audit practice further int line with the INTOSAI standards. 3.2 Main cnclusin Our main cnclusin is that the INAO is ding a gd jb in its financial audit practice and is well n the way t adpt the ISSAIs, but is nt there yet. The peer review team sees pssibilities t enhance the quality f the INAO s financial audits further and t cmply mre fully with the ISSAIs. Belw we present sme mre detailed cnclusins, accmpanied by recmmendatins. 20

22 3.3 Specific cnclusins and recmmendatins In general Firstly, we cnclude in general that the INAO faces sme majr challenges in its financial audit practice. Sme f the main challenges are: The INAO is nt able t audit all audit bjects every year and fr this reasn uses a risk-based selectin f audit bjects in rder t (1) cver sufficient audit bjects t be able t issue its annual audit pinin; and (2) audit every audit bject at least nce every three years. It is difficult fr the INAO t audit every audit bject effectively every three years. On the ther hand the INAO is able t utsurce sme f its audit wrk and the INAO perfrms sme tasks that are nt bligatry, such as preparing accunts befre auditing them and issuing nn-bligatry annual audit pinins t auditees n request. The INAO is in the prcess f adpting ISSAIs, which means it has t invest extra time (changing audit methds and prcedures, educating staff, preparing manuals, perfrming quality cntrl measures, perfrming additinal (bligatry) audit activities, etc.). The INAO has stated that it has experienced a reductin in staff and difficulty hiring CPAs in recent years. Recmmendatin: We recmmend that the INAO frmulates a strategy, including a time schedule, that effectively deals with these challenges: which measures, prescribed by the ISSAIs, have t be implemented (when) with pririty (ISSAI implementatin plan)? which audit tasks must the INAO perfrm itself and which audit tasks can be utsurced? which activities can be ended? what capacity (in quantity and quality terms) is needed? This strategy can als be used fr cmmunicatin with Parliament. Further t this general cnclusin and recmmendatin, we present mre specific cnclusins and recmmendatins fr each f the subjects f the peer review: institutinal cntext, rganizatin f the financial audit practice, audit bjects, planning/risk analysis, quality cntrl and assurance, executin, dcumentatin and audit trail, reprting. 21

23 3.3.2 Institutinal cntext With regard t the institutinal cntext we cnclude that the INAO is bliged t perfrm sme audit tasks that are unusual fr many SAIs, such as mnitring the executin f the Budget 15 (in many cuntries a task fr the ministry f Finance). We als cnclude that the INAO perfrms a (nn-bligatry) rle that is unusual fr SAIs: helping smaller entities prepare their accunts befre auditing them. The INAO has started the challenging implementatin f the ISSAIs vluntarily, in anticipatin f their intended bligatry adptin f these standards after implementatin f the new Natinal Audit Act. Finally we cnclude that the INAO is nt bliged t issue an pinin n the legality and regularity f financial transactins underlying the annual accunts. Recmmendatin: In view f the size f the INAO, we recmmend that the INAO effectively utilizes its resurces n nly its cre tasks and challenges. If pssible, the INAO shuld discuss the necessity f its nn-typical rles with Parliament, such as mnitring the executin f the Budget Organizatin f the financial audit practice Regarding the rganizatin f the financial audit practice we cnclude that: the financial audit practice is lgically psitined in the rganizatin; the capacity is relatively small and has been reduced recently (the INAO experiences a shrtage f staff); hiring CPAs and auditr rtatin are difficult; the audit prcess is being revised and Financial Audit Guidelines are being prepared as part f the ISSAI implementatin; the INAO uses tw audit management systems, which can lead t inefficiency and differences in executing and dcumenting audits; the INAO utsurces sme f its audit tasks (5% f expenditures f A- part and the majrity f entities f B-E-part f the Budget) and cncerning utsurced audits regarding A-part f the Budget - relies n the wrk f these hired external auditrs withut reviewing the quality f their wrk and the apprpriateness f their reprts and pinins. Recmmendatin: We recmmend that the INAO further implements the Financial Audit Guidelines in accrdance with the ISSAIs, cnsiders switching t ne audit management system fr efficiency and cnsistency reasns, and - in 15 As stated befre this is nt a task f the Financial Audit Department. 22

24 the case f audits regarding A-part f the Budget - reviews the wrk f hired external auditrs in line with the ISSAIs. The experienced shrtage f staff shuld be addressed in the afrementined strategy and discussed with Parliament and ther stakehlders Audit bjects The INAO has t audit a large amunt (in 2012 a ttal f 471) f audit bjects, t many t audit every year, given its capacity. The INAO therefre uses a risk-based selectin f audit bjects and aims t audit all audit bjects at least nce every three years. Further cnclusins and recmmendatins n this subject are presented belw (verall audit planning) Planning/risk analysis Planning the financial audits is ne f the mst crucial phases f the INAO s financial audit practice. With regard t the verall audit planning we cnclude firstly that riskbased selectin f audit bjects, based n ten risk factrs, is a necessity, but might becme mre risk-based by giving greater weight t all risk factrs (in practice the selectin is mainly based n scpe f expenditures). We als cnclude that the INAO is experiencing difficulties in realizing its aim f auditing all audit bjects nce every three years, accrding t the INAO because f a shrtage f resurces (staff and funds). Furthermre, the INAO has started (2013) auditing similar, smaller audit bjects (like schls) as grups, which culd lead t mre audit efficiency, and is cnsidering utsurcing mre audit tasks. Finally, the INAO still perfrms sme nn-bligatry services (as nted abve), which means less capacity fr bligatry tasks, althugh the INAO has started (2013) t reduce these services. Recmmendatin: We recmmend that the INAO makes its selectin f audit bjects mre risk-based, audits similar audit bjects as grups, cnsiders a further reductin f its nn-bligatry activities, and recnsiders its utsurcing strategy. If there is an increase in the number f internal audit departments at audit bjects, we als recmmend that the INAO ascertains whether it can use the wrk f these internal auditrs in accrdance with ISSAI

25 The peer review team feels it is essential that the INAO realizes its aimed audit cverage, either by making sure it can reach its target f all audit bjects nce every three years, r by revising this target ( all audit bjects nce every x years ). In this cntext it shuld be kept in mind that the INAO will need t dedicate part f its existing capacity t cmply fully with ISSAIs (see ther recmmendatins). Finally, with respect t the utsurcing strategy, we have tw recmmendatins. Firstly, it culd be argued that sme amunt f reviewing the wrk f hired external auditrs fr audits regarding A-part f the Budget is necessary accrding t the ISSAIs (1600), s sme capacity shuld be reserved fr this activity. Secndly, the INAO shuld chse between efficiency purpses (fr example, utsurce all audit wrk utside f A-part f the Budget) and knwledge purpses (retain sme audits in B-E parts f the Budget t preserve knwledge f auditing audit bjects utside f A-part f the Budget). The peer review team wuld favur auditing audit bjects in all parts f the Budget t preserve knwledge. With regard t the individual audit planning we cnclude firstly that the INAO des nt use standard templates fr audit plans and that the audit plans it des use are diverse and dcumented partly in separate dcuments and partly in the audit management systems. Secndly, the invlvement f the engagement partners (financial audit directr and Auditr General) and the resulting apprval f the audit plan are nt frmally arranged yet. Audit plans are nt discussed with auditees. Furthermre, the risk analysis and the attentin t the risk f fraud in the audit planning phase can be imprved. Recmmendatin: We recmmend that the INAO develps a standard template fr audit plans in accrdance with the ISSAIs, develps and uses standard audit prgrams/checklists (custmized fr every audit) wherever pssible, frmalizes the rle f the engagement partners and the apprval f audit plans, discusses audit plans with auditees, and imprves the risk analysis and attentin t fraud risk Quality cntrl and assurance The ISSAIs give special emphasis t quality cntrl and assurance. We cnclude that the INAO is wrking hard t implement quality cntrl (QC) measures and has finished a draft QC system, which nw has t be fully implemented. Nt all necessary QC measures were in place yet during the peer review. An imprtant missin yet is the absence f reviews f audit 24

26 files by auditrs utside the audit team and the frmal (visible) invlvement f the engagement partners in signing ff crucial phases and dcuments. The INAO states that the scarcity f staff is a prblem in realizing an ISSAI-prf QC system. The INAO has implemented sme quality assurance methds, such as reviews by external parties. Recmmendatin: We recmmend that the INAO further implements its develped quality cntrl system and in additin frmally arranges reviews f audit files by auditrs utside the audit teams and visible invlvement f the engagement partners in crucial phases f the audits. The INAO culd cnsider frming a pl f senir auditrs t review the wrk f audit teams. We als recmmend t arrange that an utside party perfrms an external quality assurance review every tw t fur years Executin With respect t the executin f financial audits we cnclude that in general the audits reviewed were executed as planned, althugh sme imprvements were pssible with regard t standardizatin in perfrming audits, the use f tests f cntrls, and, perhaps, the perid in which audit wrk is perfrmed. Recmmendatin: We recmmend that the INAO cnsiders, where pssible, further standardizatin f audit prcedures, mre extensive use f tests f cntrls, and perfrmance f audit prcedures earlier in the audit cycle Dcumentatin and audit trail Regarding dcumentatin and audit trail we cnclude that the audits are in general well dcumented in the tw audit management systems, althugh the audit files are nt reviewed by auditrs utside the audit team (see quality cntrl) and in sme instances nt all perfrmed audit activities were cmpletely recrded and/r signed ff in the audit files. Recmmendatin: We recmmend that the INAO makes sure audit files f all perfrmed financial audits are cmplete and internally reviewed and signed ff. 25

27 3.3.9 Reprting Finally, with respect t reprting, the INAO publishes ne verall financial audit reprt and issues (nt publishes) audit reprts n all individual audits. With regard t the verall annual reprt we cnclude that: the verall annual audit reprt can be cnsidered smewhat lengthy, cntains a summary f the majr findings f all financial audits perfrmed, and in the main text des nt always distinguish between the mre imprtant findings and the less imprtant nes; auditees are requested t respnd t audit findings and cnclusins/- recmmendatins, but cmments are nt required in writing and the respnses f auditees t the main cnclusins and recmmendatins are nt incrprated in the reprt; the reprt is used extensively by Parliament (the Budget Cmmittee issues an pinin n the reprt); publicatin f the reprt is smetimes late, smetimes because f external factrs, which reduces the impact. With regard t the audit reprts n individual audits we cnclude that: the reprts are nt published, but sent t the auditee and a cpy t the ministry cncerned; the reprts generally cntain mst f the cntents required accrding t ISSAIs, with sme exceptins; there is n standard reprt (template) fr all reprts (althugh there is a standard frmat fr A-part audit reprts and many reprts have the same cnstructin); all reprts are reviewed by the engagement partners (bth financial audit directr and Auditr General), althugh nt always visibly s in the audit files; the reprts are ften very descriptive, with (t) much fcus n audit activities perfrmed, d nt cntain a clear link between main audit bjectives/questins, standards/nrms, findings, cnclusins and recmmendatins, and d nt always clearly distinguish between the mre imprtant and the less imprtant findings (althugh in A-part audit reprts the standard practice is t summarize majr findings at the end f each reprt); auditees are requested t respnd t audit findings and cnclusins/- recmmendatins in individual reprts, but nly fr the larger audit bjects; als the ministries are nt invlved in this prcedure, and the respnses f auditees t the main cnclusins and recmmendatins are nt incrprated in the reprt; 26